Hey everyone,
So this feels like something I should be able to do with the standard search language, but I am failing at it.
I have a result, coming from a custom command, that contains field like this:
entries.0.category\_name, entries.1.category\_name,...,entries.n.category\_name
I would like to take all of these and either create a multi-value field with all of the values in them, or create just one string joining all of the values of entries.*.category_name together, with a comma.
I want something like:
| eval mvjoin(entries.*.category_name, ",")
But Splunk does not like that.
Any thoughts?
Thanks,
Dave
Try this:
...| eval categories = "" | foreach entries.*.category_name [eval categories='<<FIELD>>' + "," + categories]| makemv delim="," categories
Try this:
...| eval categories = "" | foreach entries.*.category_name [eval categories='<<FIELD>>' + "," + categories]| makemv delim="," categories
So basically he has fields that are named "entries.InsertNumberHere.category_name" and would like to combine them into one multi-value field. Variably Named columns.
Hey somesoni2,
Thanks for the suggestion, but I want to join the values across an unknown number of fields, each named entries.n.category. That is, my example above is the field names, not the value in the fields.
Thanks,
Dave
Try split command.
|
This will split value in the fieldName by comma and create a multivalued field out of it.